
Union Planters bank - 'Customer Alerting Service - Account is on hold'
11-Apr-2005

Summary
Email title: 'Customer Alerting Service - Account is on hold'
Scam target: Union Planters bank customers
Sender: Union Planters Customer Support <online@unionplanters.com>
Sender spoofed/hidden? Yes
Scam goal: Getting victim's Union Planters username/password, credit card information.
Phish link method: URL link
Link 'masked'? No
Visible link: http://www.unionplantersonlinebank.com/upib/index.html?=update
Actual link to: http://www.unionplantersonlinebank.com/upib/index.html?=update
Phish site IP: 61.55.138.122
 
Analysis contributed by: Tumbleweed Communications - Message Protection Lab
 
Overview
 
This is a well-designed but technically simple scam. It has been widespread over the last couple of days.
 
E-mail
 
The email is pretty convincing:
 
 
What stands out is the unusual URL for the bank site, though it is cleverly chosen to deceive the potential victim. In addition, the sender is spoofed to look like it comes from the real bank site, and a discrepancy can be noticed: the sender is from 'unionplanters.com', while the link leads to 'unionplantersonlinebank.com'.
 
Web Site
Visible link: http://www.unionplantersonlinebank.com/upib/index.html?=update
Actual link to: http://www.unionplantersonlinebank.com/upib/index.html?=update
Phish site IP: 61.55.138.122
 

The site does not use any technical tricks; the phishers' bet is on the convincing design and the URL similarity.

First, a login screen comes up:

 
 

The most notable phishing clue is the lack of a security certificate and a 'https' session. The legitimate site would have a secure login.
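The two clues noted so far, the sender/link domain discrepancy and the missing 'https' on the login page, can be checked mechanically. The following is an added example, not part of the original analysis: the sample message is constructed from the summary fields above, and `LinkCollector`, `base_domain` and `analyze` are hypothetical names.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed message: From, Subject and link come from the report; the body markup is assumed.
SAMPLE = """\
From: Union Planters Customer Support <online@unionplanters.com>
Subject: Customer Alerting Service - Account is on hold
Content-Type: text/html

<html><body><p>Your account is on hold.</p>
<a href="http://www.unionplantersonlinebank.com/upib/index.html?=update">http://www.unionplantersonlinebank.com/upib/index.html?=update</a></body></html>
"""

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def base_domain(host):
    # Assumption: last two labels = registrable domain (true for .com; use the Public Suffix List in production).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def analyze(raw):
    msg = email.message_from_string(raw)
    sender = base_domain(parseaddr(msg["From"])[1].rpartition("@")[2])
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    findings = []
    for href, text in collector.links:
        url = urlsplit(href)
        link = base_domain(url.hostname or "")
        findings.append({"link_domain": link,
            "masked": text.lower().startswith("http") and text != href,  # visible vs actual link
            "sender_mismatch": link != sender,                            # From: domain vs link domain
            "brand_lookalike": link != sender and sender.split(".")[0] in link,
            "no_https": url.scheme != "https"})                           # login page without TLS
    return sender, findings
```

On the constructed sample this reports an unmasked link whose domain differs from the sender's, embeds the sender's brand label, and is served over plain http.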

As usual with such scams, the second page asks for credit card information:

 
 
The site does not perform any checks on the data entered: as long as a field is not empty, it passes. A simple logout screen follows the second page, after which the browser is redirected to a 'policies' page on the legitimate site.
 
WHOIS data (for IP 61.55.138.122):

Domain Name : unionplantersonlinebank.com

Name Server: NS1.VANETHERLANDS.COM NS2.VANETHERLANDS.COM
ICANN Registrar: YESNIC CO. LTD.
Created: 03-apr-2005
Expires: 03-apr-2006

::Registrant::
Name : eric h rockwell
Address : 10331 w girton dr.
Zipcode : 80227
Nation : US